We're using Jamf as our MDM solution.  We've got Jamf configured as a SCEP Proxy in front of our MS CA which issues device authentication certificates to our iPads.   Certificates are issued successfully to iPads and are visible both on the device and in the MS Cert Services Console.

We've deployed Cisco Anyconnect client to the iPads and configured them via the MDM for per-app VPN using certificate authentication.  The certificate is set to AUTOMATIC (the only other setting being disabled) and we've created app-based rules to initiate the VPN.

This all works.  The client is deployed correctly with the configuration, and the per-app rule fires up the VPN ... up until the actual certificate authentication.  At this point AnyConnect responds with "This connection requires a client certificate, but no matching certificate could be found...."  

The certificate IS on the device, because we can see it if we create a VPN connection using the iOS native VPN settings.   I've read a lot of posts which say that AnyConnect simply cannot access the default iOS certificate store, but the release notes for the current version of AnyConnect that we're using specifically say "You may use MDM deployed certificates, as well as certificates imported using one of the methods available in AnyConnect ...".

Does anybody have any insight into how we might be able to get this working?   Thanks in advance ...!